How can I find and trigger Server Actions directly, bypassing middleware protected pages they're on?
Unanswered
Spectacled bear posted this in #help-forum
Spectacled bear (OP)
As far as I am aware, server actions are not protected by middleware, leading to this guidance: https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations#authentication-and-authorization
I am looking for a demonstration on how server actions which do not ensure that the user is authorized can be exploited.
3 Replies
One example on how to exploit server actions is here: https://github.com/vercel/next.js/issues/63804
/foo, it will be a POST /foo). POST requests are properly managed by middleware just like GET requests. Of course this assumes your middleware logic is correct.
I realised the message above contains a mistake. Revision coming soon.
Alright, so server actions are POST requests sent to the same path as the page triggering it. So in your app, the protected server action is only triggered from a page protected by middleware. But that's not a guarantee, since a bad actor can always just grab the action ID and use it to POST to a public page not guarded by middleware. Since the action ID still matches and POSTing to any page is allowed, the server action will be able to bypass the middleware.
That is what can happen, theoretically. However when I try to make a quick reproduction, the outcome is that your server will throw an internal error with
⨯ uncaughtException: [Error: aborted] { code: 'ECONNRESET' }
Still a bad thing nevertheless.
Anyway yeah, theoretically speaking, from how server actions work, there is no guarantee that the middleware protecting the page calling the server action will be able to protect any valid server action requests coming from potentially malicious actors.
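An added example, not from this thread or from the Next.js project, of the mitigation the linked docs describe: because an action POST can be sent to any path, the authorization check has to live inside the server action itself rather than in the middleware matcher of the page that renders it. The `getSession` function is an injected stand-in (an assumption) for reading the session cookie with `cookies()` from `next/headers`, so the code runs outside Next.js.

```typescript
// Added example: per-action authorization that does not depend on which
// page path the action POST arrived at. Session lookup is injected so the
// code runs stand-alone; a real app would read the session cookie here.

export type Role = "admin" | "user";
export type Session = { userId: string; role: Role } | null;
export type SessionSource = () => Promise<Session>;

export class UnauthorizedError extends Error {
  constructor(msg = "unauthorized") { super(msg); this.name = "UnauthorizedError"; }
}

// Wraps a server action so the caller's session and role are verified on
// every invocation. Middleware is never consulted, so a POST to a public
// page with a stolen action ID is refused just like any other caller.
export function withAuth<A extends unknown[], R>(
  getSession: SessionSource,
  requiredRole: Role,
  action: (session: NonNullable<Session>, ...args: A) => Promise<R>,
): (...args: A) => Promise<R> {
  return async (...args: A) => {
    const session = await getSession();
    if (!session) throw new UnauthorizedError("no session");
    if (requiredRole === "admin" && session.role !== "admin") {
      throw new UnauthorizedError("insufficient role");
    }
    return action(session, ...args);
  };
}

// Constructed in-memory store standing in for the database.
export const users: Record<string, { deleted: boolean }> = {
  alice: { deleted: false },
  bob: { deleted: false },
};

// The raw mutation trusts its caller; it must only be reachable via withAuth.
async function deleteUserUnchecked(_s: NonNullable<Session>, id: string): Promise<boolean> {
  if (!users[id]) return false;
  users[id].deleted = true;
  return true;
}

// The exported action: admin-only, re-checked on every call.
export function makeDeleteUser(getSession: SessionSource) {
  return withAuth(getSession, "admin", deleteUserUnchecked);
}

// Maps the outcome to a value so callers can check it without output capture.
export async function tryDelete(getSession: SessionSource, id: string): Promise<"ok" | "denied" | "missing"> {
  try {
    return (await makeDeleteUser(getSession)(id)) ? "ok" : "missing";
  } catch (e) {
    if (e instanceof UnauthorizedError) return "denied";
    throw e;
  }
}
```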